The term stakeholder is broad and could
include a very large set of people. For the purposes of the CSA+ exam,
what we call IR stakeholders are those individuals and teams who are
part of your organization and have a role in helping with some aspect
of incident response. They each have a critical role to play in
some (maybe even most) but not all responses. This presents a challenge
for the IR team because the supporting stakeholders will not normally be
as accustomed to executing response operations as the direct players
are. Extra efforts must be taken to ensure they know what to do and how
to do it when bad things happen.
The likeliest involvement of human resources (HR)
staff in a response is when the team determines that a member of the
organization probably had a role in the incident. The role need not be
malicious, mind you, because it could be a failure to comply with
policies (for example, connecting a thumb drive into a computer when
that is not allowed) or repeated failures to apply security awareness
training (for example, clicking a link in an e-mail even after a few
rounds of remedial training). Malicious, careless, or otherwise, the
actions of our teammates can and do lead to serious incidents.
Disciplinary action in those cases all but requires HR involvement.
There are other situations in which you may need a
human resources employee as part of the response, such as when overtime
is required for the response, or when key people need to be called in
from time off or vacation. The safe bet is to involve HR in your IR
planning process and especially in your drills, and let them tell you
what, if any, involvement they should have in the various scenarios.
Whenever an incident response escalates to the point
of involving government agencies such as law enforcement, you will
almost certainly be coordinating with legal counsel. Apart from
reporting criminal or state-sponsored attacks on your systems, there are
regulatory considerations such as those we discussed in Chapter 5.
For instance, if you work in an organization covered by HIPAA and you
are responding to an incident that compromised the protected health
information (PHI) of 500 or more people, your organization will have
some very specific reporting requirements that will have to be reviewed
by your legal and/or compliance team(s).
The law is a remarkably complicated field, so even
actions that would seem innocuous to many of us may have some onerous
legal implications. Though some lawyers are very knowledgeable in
complex technological and cybersecurity issues, most have only a cursory
familiarity with them. In our experience, starting a dialogue early
with the legal team and then maintaining a regular, ongoing conversation
are critical to staying out of career-ending trouble.
Managing communications with your customers and
investors is critical to successfully recovering from an incident. What,
when, and how you say things is of strategic importance, so you’re
better off leaving it to the professionals who, most likely, reside in
your marketing department. If your organization has a dedicated
strategic communications, public relations, media, or public affairs
team, it should also be involved in the response process.
Like every other aspect of IR, planning and practice
are the keys to success. When it comes to the marketing team, however,
this may be truer than with most others. The reason is that these
individuals, who are probably only vaguely aware of the intricate
technical details of a compromise and incident response, will be the
public face of the incident to a much broader community. Their main goal
is to mitigate the damage to the trust that customers and investors
have in the organization. To do this, they need to have just the right
amount of technical information and present it in a manner that is
approachable to broad audiences and can be dissected into effective
sound bites (or tweets). For this, they will rely heavily on those
members of the technical team who are able to translate techno-speak
into something the average person can understand.
EXAM TIP When you see references on
the exam to the marketing team, think of it as whatever part of the
organization communicates directly with the general public. Don’t
overthink the question if your organization calls this team something
We already mentioned management when we discussed
the roles of incident response. We return to this group now to address
its involvement in incident response for managers who are not directly
participating in it. This can happen in a variety of ways, but consider
the members of senior management in your organization. They are unlikely
to be involved in any but the most serious of incidents, but you still
need their buy-in and support to ensure you get the right resources from
other business areas. Keeping them informed in situations in which you
may need their support is a balancing act; you don’t want to take too
much of their time (or bring them into an active role), but they need
enough awareness of the situation that all it takes is a short call for
help and they’ll make things happen.
Another way in which members of management are
stakeholders for incident response is not so much in what they do, but
in what they don’t do. Consider an incident that takes priority over
some routine upgrades you were supposed to do for one of your business
units. If that unit’s leadership is not aware of what IR is in general,
or of the importance of the ongoing response in particular, it could
create unnecessary distractions at a time when you can least afford
them. Effective communications with leadership can build trust and
provide you a buffer in times of need.